da...@lang.hm wrote:
> On Mon, 19 Oct 2009, Esther Schindler wrote:
>
>> Anyhow, here's what she's looking for:
>>
>>> Microsoft demonstrated DirectAccess for its new OS, Windows 7.
>>> DirectAccess is a way to give mobile users more convenient access to
>>> the network without having to fire up a VPN connection. On the user
>>> side, we get to eliminate VPN connectivity issues, while on the admin
>>> side, well, what does that mean?

Depending on the company, it may mean "yet another MS feature that we have to disable".

Our global policy specifies that "split tunneling", a simultaneous connection to the public internet and our internal network, is prohibited. We are forced to require a VPN client that allows us to force that particular option in the client in such a way that the user can't turn it off. Sure they want to print to their home printer while connected to our VPN, or access their home server with all their MP3s, but that's specifically what we must prevent. If you don't think this is important, I can refer you to any number of corporate breaches :-)

As an Enterprise customer, I need to be able to at least:

* set specific policies (no split tunneling)
* force specific VPN technology including encryption algorithms (IPSEC, AES, etc)
* ensure proper key and credential management, including two-factor or challenge/response
* audit activities while user is connected to the VPN

I think the point about wanting our users to be very aware of when they are attached to the Corp networks is also important.

MS has always been much better about addressing the needs of businesses, so I'm sure this is in there somewhere.